b'    AUDIT OF NARA\'S \n\nCHANGE CONTROL PROCESS \n\n\n   OIG Report No. 09-09 \n\n\n\n\n\n       May 11, 2009 \n\n\x0c                                                                               OIG Audit Report No. 09-09\n\n\nEXECUTIVE SUMMARY\n\nThe National Archives and Records Administration (NARA) Office oflnspector General\n(OIG) completed an audit ofNARA\'s Change Control Process. Change Control is a\nformal process used to ensure that changes to Information Technology (IT) systems are\nintroduced in a controlled and coordinated manner and are assessed and approved by\nmanagement before their implementation. During the audit, we assessed the process to\ndetermine whether NARA authorizes, documents, tests, and controls changes to their\ninformation systems. To accomplish our review, we selected nine operational systems,\nwhich had recent system changes and/or supported NARA\'s core mission. For each of\nthese systems, we evaluated a sample of system changes.\n\nTo adequately manage the change control process, NARA must put controls in place to\nprevent, detect, and correct unauthorized or unintended changes to their information\nsystems. According to the National Institute of Standards and Technology (NIST), a\nchange control process should involve a systematic proposal, justification,\nimplementation, test/evaluation, review, and disposition of all changes to an information\nsystem.\n\nOur review found that NARA did not authorize, document, test, and control all changes\nto their information systems. Specifically, we found NARA did not always\n\n         Authorize or document all system changes; \n\n         Complete security impact analysis prior to approving and implementing changes; \n\n         Fully test changes prior to implementation; \n\n         Adequately manage and control emergency changes; and \n\n         Employ automated mechanisms to document proposed changes to high impact! \n\n         systems. \n\n\nA formalized and rigorously enforced change control process brings uniformity and\nstructure to the function. Ultimately, this very process serves to ensure conformity with\nNIST guidance and most importantly protect the integrity and content oflT systems and\nthe data residing upon them. Conversely, a decentralized, laissez-faire approach may\nadversely impact an organization, such as NARA.\n\nEstablishing controls over the modification of information systems helps to ensure that\nonly authorized programs and authorized modifications are implemented. Without\nproper controls, there is a risk security features could be inadvertently or deliberately\nomitted or "turned off\' or that processing irregularities or malicious code could be\nintroduced. This places NARA at risk of disruption, fraud, or inappropriate disclosure of\nsensitive information. Also, without a formal review process, rapid changes to\ninformation systems could result in unforeseen technical problems or the use of\ninadequate risk analysis and testing. Finally, weaknesses in the change control process\n\n\n1 A high impact system is an infonnation system in which at least one security objective (confidentiality,\nintegrity, and availability) is rated as high.\n                                                  Page 1\n                               National Archives and Records Administration\n\x0c                                                                       GIG Audit Report No. 09-09\n\n\ncould limit NARA\'s ability to effectively protect the confidentiality, integrity, and\navailability of its systems and information.\n\nWe made nine recommendations that when implemented will improve NARA\'s change\ncontrol process and enhance the security ofNARA information systems.\n\n\n\n\n                                           Page 2\n                        National Archives and Records Administration\n\x0c                                                                       OIG Audit Report No. 09-09\n\n\nBACKGROUND\n\nFederal Information Processing Standards Publication (FIPS PUB) 200, Minimum\nSecurity Requirements for Federal Information and Information Systems, specifies\nminimum security requirements for federal information systems. FIPS PUB 200 directs\nfederal agencies to meet the minimum security requirements through the use of the\nsecurity controls outlined in NIST Special Publication (SP) 800-53, Recommended\nSecurity Con troIs for Federal Information Systems. One of the controls outlined in NIST\nSP 800-53 is configuration change control, which involves the systematic proposal,\njustification, implementation, test/evaluation, review, and disposition of changes to the\ninformation system, including upgrades, and modifications.\n\nThe selection of appropriate security controls is a risk-based activity that should take into\nconsideration the security categorization (i.e. High, Moderate, and Low) of each\ninformation system. For example, systems identified as high impact should have more\nstringent controls than systems identified as low impact. NIST SP 800-53 provides\ndifferent levels of controls for each categorization, such as the supplemental guidance\nand control enhancements for moderate and high risk systems. FIPS 200 also requires\norganizations to develop and promulgate formal, documented policies and procedures\ngoverning the minimum security requirements set forth in FIPS 200 and must ensure their\neffective implementation.\n\nNARA has developed various levels of guidance, polices, and procedures relating to\nchange controls. For instance, the Enterprise Architecture (EA) Configuration\nManagement Procedures specifies the procedures used to establish, modify, and manage\nall EA work products. In addition, NARA\'s System Development Lifecycle directive\nincludes Configuration Management Guidelines for the implementation and maintenance\nofNARA IT systems. Finally, NARA\'s IT Security Policy states that for moderate or\nhigh integrity information systems, NARA:\n\n   Monitors changes to each information system and conducts security impact analyses\n   to determine the effects of the changes.\n   Approves individual access privileges and enforces physical and logical access\n   restrictions associated with change to each information system and generates, retains,\n   and reviews records reflecting all such changes.\n\nPrior audit reports and reviews have identified weaknesses in NARA\'s configuration\nmanagement. Since 2004, weaknesses in Configuration Management have been\nidentified as a reportable condition on the each of the annual audits ofNARA\'s Financial\nStatements. Some of these weaknesses were related to NARA\'s Change Control Process.\nIn particular, proper approvals were not obtained for changes to NARANet and the\nRecords Center Program Billing System (RCPBS). Also, a review conducted by Science\nApplications International Corporation (SAlC), found that while NARA policies provide\nguidance on management, operational, and technical security mechanisms, they are\nneither comprehensive nor specific enough to NARA to be measurable or enforceable. In\naddition, NARA policies are only partially implemented.\n\n                                           Page 3\n                        National Archives and Records Administration\n\x0c                                                                               OIG Audit Report No. 09-09\n\n\n\n\nThe responsibilities associated with NARA\'s Change Control Process mainly fall under\nthe Office ofInformation Services (NH). Specifically, the Information Technology\nServices Division (NHT) is responsible for coordinating and implementing upgrades and\nenhancements to NARA\'s existing infrastructure and the System Development Division\n(NHV) helps develop major enhancements of information technology (IT) applications\nand systems. In addition, some system owners outside ofNH are responsible for\nmanaging their system\'s Change Control Process.\n\n\nOBJECTIVE, SCOPE, METHODOLOGY\n\nThe objective of this audit was to determine whether NARA authorizes, documents, tests,\nand controls changes to its information systems. Specifically, we determined whether the\nNARA change control process included (a) documenting, approving, testing, and\nreviewing of system changes; (b) security impact analysis; and (c) adequate management\nand control of emergency changes.\n\nWe examined applicable laws, regulations, NARA guidance, and other IT-related\nguidance, including (a) FIPS PUB 200, Minimum Security Requirementsfor Federal\nInformation and Information Systems; (b) NIST SP 800-53, Recommended Security\nControls for Federal Information Systems; (c) NIST SP 800-53A, Guidefor Assessing\nthe Security Controls in Federal Information Systems; (d) Government Accountability\nOffice (GAO) Federal Information System Controls Audit Manual; (e) NARA 812,\nEnterprise Architecture; and (f) NARA 805, Systems Development Lifecycle.\n\nTo accomplish our objective, we reviewed NARA\'s change control activities and\ndocumentation and selected a sample of information systems to perform detailed audit\ntests. We reviewed nine2 operational NARA systems, which had system changes during\nthe six month period prior to audit field work and/or directly supported NARA\'s mission.\nFor each ofthese systems, we selected a judgmental sample of system changes to review.\nThis sample included 52 system changes. We also met with system owners and other\nofficials involved in the change control process. The review of the selected systems and\nsystem changes allowed us to conduct a program level review ofNARA\'s change control\nprocess.\n\nOur audit work was performed at Archives II in College Park, MD between June 2008\nand December 2008. We conducted this performance audit in accordance with generally\naccepted government aUditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis\nfor our findings and conclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions based on\nour audit objectives.\n\n\n\n2   See Attachment I for a list of systems reviewed.\n                                                   Page 4\n                                National Archives and Records Administration\n\x0c                                                                              OIG Audit Report No. 09-09\n\n\nFINDINGS AND RECOMMENDATIONS\n\nSystem Changes Not Always Documented and Approved\n\nNARA has not authorized and documented all changes to their infonnation systems. This\ncondition occurred because NARA has an infonnal and decentralized change control\nprocess. In addition, some NARA policies and procedures are outdated. By not\nauthorizing and documenting changes, there is a risk that unauthorized programs and\nmodifications could be implemented or security features could be unknowingly altered.\n\nNIST SP 800-53, Recommended Security Controls for Federal Information Systems,\nrequires agencies to authorize, document, and control changes to infonnation systems.\nTo meet this requirement, NIST SP 800-53 provides supplemental guidance, which states\nthe organization should manage changes using an organizationally approved process,\nsuch as a chartered Configuration Control Board (CCB). The supplemental guidance also\nstates that configuration change control involves the systematic proposal, justification,\nimplementation, test/evaluation, review and disposition of changes to the infonnation\nsystem, including upgrades and modifications.\n\nHowever, we found that NARA has not authorized and fully documented all changes to\ntheir infonnation systems. For example, approvals were not documented for over 63%\n(33 of 52) ofthe change requests reviewed. In some instances, the documentation of\napproval was not included in their change control procedures. In addition, some of the\nchanges were not fully documented. For instance, one system maintained their list of\nchanges in Microsoft Excel. However, this list provided limited detail or infonnation\nregarding each change.\n\nThis occurred because NARA has a decentralized change control process with varying\ndegrees offonnality. For instance, the Network and Infrastructure Systems CCB reviews\nand approves changes that affect NARANet, whereas individual application CCBs review\nand approve application changes. These application CCBs have different change control\nprotocol and procedures. For example, some system changes3 are approved during CCB\nmeetings and are not documented in a fonnal change request fonn. The use of a\nstandardized change request fonn helps ensure requests are clearly communicated and\napprovals are documented. In other cases, the change request documentation indicated\nCCB approval was not needed. These reasons included:\n    A member ofthe Technical Review Board detennined that the change did not require\n    CCB approval.\n    The requested change was a critical security related issue and was automatically\n    granted CCB approval.\nConsequently, approvals ofNARA system changes were not always documented.\n\nIn addition, four ofthe systems reviewed (AERIC, CMRS, PERL, and PPMS) had not\ndeveloped or documented sufficient change control procedures. . In some cases4 , a CCB\n\n3   This was noted for the eDGCS and AERIC systems.\n4   This was noted in the charters for CMRS, PERL, and PPMS.\n                                                  Page 5\n                               National Archives and Records Administration\n\x0c                                                                         OIG Audit Report No. 09-09\n\n\ncharter or plan was developed; however, it did not fully address change control policies\nand procedures, such as who can authorize a modification and how these authorizations\nshould be documented. When asked why a Configuration Management Plan was not\ndeveloped, one system manager stated a determination was made that procedures were\nnot needed. However, during audit fieldwork, the contractor was tasked by management\nwith developing a Configuration Management Plan for that system\n\nFinally, some confusion may be attributed to the use of an older NIST Handbook.\nSpecifically, in the IT Security Mechanisms document ofNARA\'s Enterprise\nArchitecture, it states that NARA\'s configuration management will be based on NIST SP\n800-12 5, An Introduction to Computer Security, which describes configuration\nmanagement as the process of keeping track of changes to the system, and if needed,\napproving them. However, NIST considers this publication to be a broad overview of\ncomputer security that discusses the benefits of various security controls. Although\nuseful to learn the basics of computer security, this document was written in 1995 and\ndoes not specify requirements or describe the detailed steps necessary to implement a\ncomputer security program.\n\nEstablishing controls, such as adequate documentation and approvals, over the\nmodification of application software programs helps to ensure only authorized programs\nand authorized modifications are implemented. Without proper controls, there is also a\nrisk that security features could be inadvertently or deliberately omitted or "turned off\' or\nthat processing irregularities or malicious code could be introduced.\n\nRecommendation 1\n\nWe recommend the CIO enforce a more formal and centralized change control process.\n\nRecommendation 2\n\nWe recommend the CIO ensure all systems have adequate and documented change\ncontrol procedures.\n\nManagement Comment(s)\n\nManagement concurred with the recommendations.\n\n\n\n\n5 NIST 800-53, Recommended Security Controls for Federal Information System, provides more\ncomprehensive and updated recommendations for change controls.\n                                            Page 6\n                         National Archives and Records Administration\n\x0c                                                                          OIG Audit Report No. 09-09\n\n\nSecurity Analysis Not Conducted\n\nNARA did not always complete or document the security impact analysis prior to\napproving and implementing changes to their information systems. This occurred\nbecause NARA\'s change control procedures and guidance do not require a security\nanalysis. Also, the Request for Change (RFC) form 6 does not include a space to\ndocument adjustments or potential impacts to security resulting from the proposed\nchange. Without a security impact analysis, changes could be introduced into NARA\nsystems that increase the risk of a security incident.\n\nWe found that NARA did not always complete or document the security impact analysis\nprior to approving and implementing changes to their information systems. Specifically,\nin our review of 52 change requests, at least 44 were approved without any documented\nreview of a security impact analysis. These change requests were for systems rated as\nmoderate or high impact systems and these weaknesses were noted for each of the nine\nsystems reviewed.\n\nFor systems classified as Moderate and High impact, NlST SP 800-53 requires that\napprovals to implement a change to an information system include successful results\nfrom the security analysis ofthe change. Also, NARA\'s Enterprise Architecture IT\nSecurity Policy states that NARA conducts security impact analyses to determine the\neffects of system changes for moderate or high integrity systems. However, NARA\'s\nchange control procedures and guidance do not require security analysis prior to\nimplementing changes. NARA\'s Configuration Management Procedures and Systems\nDevelopment Guidelines only require an impact assessment, which includes changes in\nscope, cost, schedule, resource needs and integration ramifications. Security is not\nincluded as a requirement of this impact assessment. Management stated that this was an\noversight in the policy.\n\nFurther, the RFC form that most systems use to document system changes does not\ninclude a space to document adjustments or potential impacts to security resulting from\nthe proposed change. The Information Technology Operations Chief agreed that security\nimpact could be added to the RFC form.\n\nSome system owners stated that not all changes affect system security and if there had\nbeen any security related changes, the IT Security Staff (NHI) would have been\ncontacted. However, such information was not noted in the documentation of system\nchanges for systems such as CMRS, AERIC, and ARC.\n\nManagement agreed that a formal security impact analysis was not part of their change\ncontrol process. Impacts to security are usually considered before implementing system\nchanges, but are not always documented. Instead, a member ofNHI generally attends the\nCCB meetings and is aware of some system changes. We were also informed that within\n\n6 The Request for Change form is used to track and manage system changes requiring formalized\nassessments and approvals. This form is used for changes reviewed and approved by the Network\nInfrastructure CCB.\n                                                Page 7\n                           National Archives and Records Administration\n\x0c                                                                      GIG Audit Report No. 09-09\n\n\nthe last year the Security Operations Manager was included in NARANet system change\nreviews. We found he had reviewed at least two system changes included in the sample.\nHowever, this does not adequately fulfill the requirement for a security impact analysis.\n\nChanges to an information system can have a significant impact on the security of the\nsystem. Documenting information system changes and assessing the potential impact on\nthe security of the system is an essential aspect of maintaining the security posture. An\neffective control policy and associated procedures are essential to ensuring adequate\nconsideration of the potential security impact of specific changes to a system.\n\nWithout a security impact analysis, changes could be introduced into NARA systems that\nincrease the risk of a security incident. By not documenting or requiring a security\nanalysis, NARA lacks assurance that proposed changes could adversely affect IT system\nsecurity.\n\nRecommendation 3\n\nWe recommend the CIO enforce and if necessary update NARA procedures to require\nsecurity analysis prior to implementing system changes and provide guidance for when a\nsecurity analysis is warranted.\n\nRecommendation 4\n\nWe recommend NHT modify the Request for Change (RFC) form to include a space to\ndocument adjustments or potential impacts to security.\n\nManagement Comment(s)\n\nManagement concurred with the recommendations.\n\n\nInadequate Testing of Changes\n\nNARA did not adequately test all changes prior to introducing them into IT systems as\nsuggested by Federal regulations. This occurred because of a lack of guidance regarding\nthe testing of system changes. Inadequate testing can have a significant impact on system\ndata reliability and availability.\n\nAccording to NIST SP 800-53 adequate configuration change control involves systematic\ntesting of system changes. The Federal Information System Controls Audit Manual\n(FISCAM), states that a disciplined process for testing and approving new and modified\nprograms prior to their implementation is essential to make sure programs operate as\nintended and that no unauthorized changes are introduced. The extent of testing varies\ndepending on the type or extent of the proposed modification.\n\n\n\n                                          Page 8\n                       National Archives and Records Administration\n\x0c                                                                      OIG Audit Report No. 09-09\n\n\nA detailed test plan should be developed for each modification defining the levels and\ntypes of tests to be performed. Because testing is an iterative process, it is important to\nadhere to a formal set of procedures or standards. All test data, transactions, and results\nshould be saved and documented to facilitate future testing of other modifications and\nallow a reconstruction if future events necessitate a revisit of the actual tests and results.\nAlso, test plans should be approved by all responsible parties.\n\nHowever, we found that NARA did not adequately test all changes prior to\nimplementation. Specifically, test plans were not developed or maintained for 31 of the\n52 system changes reviewed. Weaknesses were noted in all but one (ADRRES) of the\nsystems reviewed. In many instances, the RFC form, which requires a complete listing of\nall steps and tests to be performed to assure that the intended results of the change have\nbeen achieved, simply stated "to be determined". When asked for these test plans, none\nwere provided. In some cases, it was the responsibility of the contractor to develop such\ntest plans, but none were developed or could be provided. A contractor monitoring\nprocess is in place; however, when a deficiency is noted, follow up is not always\ncompleted to ensure the contractor corrects the problem.\n\nNARA also lacked documentation and assurance that testing was completed prior to\nintroducing the system change into the production environment. Documented test results\ncould only be provided for three7 ofthe 52 system changes reviewed.\n\nWhen asked why test plans and results were not documented, some system owners stated\nthat change requests were of low complexity and did not need a formalized test plan.\nHowever, this was not documented in the request documentation. Additionally, some\nsystems do not have a test environment; therefore, testing cannot be done prior to\nimplementing the change into the production environment. Also, some changes can only\nbe testing once it has been placed into production and not prior. Consequently, a backup\nplan or a rollback plan is developed, in case problems are encountered during the\nimplementation. Finally, there appears to be limited guidance on developing test plans\nand documenting or maintaining the test results.\n\nMinor modifications may require less extensive testing; however, changes should still be\ncarefully controlled and approved since relatively minor program code changes, if done\nincorrectly can have a significant impact on overall data reliability and availability. For\nexample, in the system changes reviewed, at least two that were inadequately tested\ncaused a delay or disruption for system users. By not adequately testing changes prior to\nimplementation, NARA takes a chance that changes introduced to its systems could\nadversely affect security and data.\n\nRecommendation 5\n\nWe recommend that the CIO require the test plans and test results to be documented and\nmaintained.\n\n\n7   The three changes were for the ADRESSIURTS, CMRS, and NARANet systems.\n                                                 Page 9\n                              National Archives and Records Administration\n\x0c                                                                      OIG Audit Report No. 09-09\n\n\n\n\nRecommendation 6\n\nWe recommend that the CIO develop guidance to aid in\n   Developing test plans;\n   Determining if a test plan is required and how to, document the decision if one is not\n   required; and\n   Maintaining the test results.\n\nManagement Comment(s)\n\nManagement concurred with the recommendations.\n\n\nEmergency Changes Not Adequately Controlled\n\nNARA did not adequately manage and control emergency or urgent changes to their\ninformation systems as required by NIST. This condition occurred because NARA has\nnot established or mandated any additional controls for emergency change procedures.\nDue to the critical nature of emergency changes, additional controls are needed to reduce\nthe risk of suspending or abbreviating normal controls and to prevent disruptions to IT\nsystems.\n\nDuring our review, we found that NARA does not adequately manage and control\nemergency or urgent changes. For instance, emergency change procedures have not been\ndeveloped or documented for all NARA information systems. Ofthe nine systems\nreviewed, only three (ARC, ENOS, and NARANet) had additional procedures for\nemergency changes. It is important to follow established procedures for emergency\nchanges to reduce the risk of suspending or abbreviating normal controls. For most\nsystems reviewed, post-emergency reviews were not required and consequently were not\nconducted for all emergency changes. As a result, additional controls are not in place for\nemergency changes.\n\nFurthermore, similar to non-emergency changes, approval of change requests was not\nalways documented and sufficient testing and security analysis was not conducted prior\nto implementation. In particular, we noted these weaknesses for the following systems:\nAERIC, ARC, eDOCS, ENOS, NARANet, and PERL.\n\nFor systems classified as Moderate and High, NIST SP 800-53 requires that the\norganization include emergency changes in the configuration change control process,\nincluding changes resulting from the remediation of system flaws. In addition, the\nFISCAM states that emergency procedures should specify the following:\n           When emergency software changes are warranted;\n           Who may authorize emergency changes;\n\n                                         Page 10\n                       National Archives and Records Administration\n\x0c                                                                        OIG Audit Report No. 09-09\n\n\n\n             How emergency changes are to be documented; and\n             Within what period after implementation the change must be tested and\n             approved.\n\nFISCAM also states logs of emergency changes and related documentation should be\nperiodically reviewed by data center management or security administrators to determine\nwhether all such changes have been tested and received final approval.\n\nNARA has not established or mandated any additional controls for emergency change\nprocedures. Specifically, NARA policies, procedures, and guidance related to change\ncontrols do not address emergency changes. We found three systems with procedures for\nemergency changes. However, NARA did not require system owners or project\nmanagers to develop or document additional control procedures related to emergency\nchanges.\n\nWhen asked about emergency changes, most system owners and project managers stated\nthat their systems did not have emergency changes and therefore, felt that emergency\nchange procedures were not necessary. However, due to the critical nature of emergency\nchanges, additional controls are needed to reduce the risk of suspending or abbreviating\nnormal controls. Pressure to make rapid changes to systems without a formal review\nprocess often result in a critical system failure due to unforeseen technical problems.\n\nRecommendation 7\n\nWe recommend\n\n       (a)          CIO strengthens system change control policies and procedures to\n                    include emergency change control procedures.\n\n       (b)          System owners implement additional procedures to control emergency\n                    changes.\n\nManagement Comment(s)\n\nManagement concurred with the recommendations.\n\n\n\n\n                                           Page 11\n                         National Archives and Records Administration\n\x0c                                                                       DIG Audit Report No. 09-09\n\n\nAutomated Mechanisms Not Always Used\n\nNARA does not always employ automated mechanisms to document proposed changes to\nHigh impact systems. This occurred because NARA does not require all systems or all\nsystems categorized as High impact, to use PVCS Tracker or another automated\nmechanism to manage system changes. Without these mechanisms, NARA High impact\nsystems are not as secure and there is an increased risk of unauthorized changes.\n\nFor systems categorized as High impact, NIST SP 800-53 requires organizations to\nemploy automated mechanisms to (a) document proposed changes to information\nsystems; (b) notify appropriate approval authorities; (c) highlight approvals that have not\nbeen received in a timely manner; (d) inhibit change until necessary approvals are\nreceived; and (e) document completed changes to the information system.\n\nNARA does not always employ automated mechanisms to document proposed changes to\nHigh impact systems. Specifically, automated mechanisms to document proposed and\ncompleted changes were not employed for three NARA systems (AERIC, eDOCS, and\nPERL) categorized as High impact. Instead, these systems use non-automated\nmechanisms, such as meeting notes and Excel spreadsheets.\n\nThis occurred because NARA does not require or enforce all systems or all systems\ncategorized as High impact, to use PVCS Tracker or another automated mechanism to\nmanage system changes. In some cases, automated mechanisms may not be cost\neffective for systems that do not have major system enhancements, such as AERIC.\nHowever, if automated mechanisms are not employed, additional controls should be in\nplace to prevent unauthorized changes. These controls include restricting access to\nimplementing changes and reviewing access logs to ensure unapproved changes are not\noccurring.\n\nAutomated mechanisms can notify appropriate approval authorities; highlight approvals\nthat have not been received in a timely manner; and inhibit change until necessary\napprovals are received. Without these mechanisms, NARA High impact systems are not\nas secure and there is an increased risk of unauthorized changes.\n\nRecommendation 8\n\nWe recommend the CIO either require systems categorized as High impact to use an\nautomated system (such as PVCS Tracker) or implement additional controls.\n\nManagement Comment(s)\n\nManagement concurred with the recommendation.\n\n\n\n\n                                          Page 12\n                        National Archives and Records Administration\n\x0c                                                                                                                              OIG Audit Report No. 09-09\n\n\n\n\n                                                  ATTACHMENT 1: NARA Systems Reviewed\n\n  System           Full Name                       Description                     Impact      System      Documentation         Security         Testing\n Acronym                                                                            Level     Changes      and Approval          Analysis        Weaknesses\n                                                                                              Reviewed      Weaknesses          Weaknesses\nADRRES        Archival               Automates the process of reviewing             High         1\n              Declassification       and redacting sensitive and classified                                                          X\n              Review and             materials\n              Redaction System\nAERIC         Archival Electronic    Preserves the logical structure of             High         8\n              Records Inspection     databases, and verifies that the records                                     X                  X                    X\n              and Control            received are those supported by the\n                                     accompanying documentation\nARC          Archival Research       Online catalog ofNARA holdings               Moderate       3\n             Catalog                                                                                              X                  X                X\nCMRS         Case Management         Provides workload management and               High         4\n             and Reporting           processes to fulfill requests for military                                                      X                X\n             System                  records\neDOCS        Electronic Document     Automates the creation of the daily            High         9\n             Management System       Federal Register                                                             X                  X                X\nENOS/         Expanding NARA         Supports ordering and fulfilling of          Moderate       7\nOrder         Online Services        selected records reproductions online                                        X                  X                X\nOnline\nNARANet      NARA Network            Primary general support system,                High         12\n                                     providing standard desktop applications                                      X                  X                X\n                                     and Internet access to NARA staff\nPERL         Presidential            Used to ingest and provide internal            High         4\n             Electronic Records      access to the Presidential electronic                                                           X                X\n             Library                 records\nPPMS         Personal Property       Provides property asset management           ModerateS      4\n             Management System       for all NARA\'s personal property                                             X                  X                    X\n\n\n\nS PPMS was categorized as "Low" on the system inventory; however, the revised Contingency Plan (dated August 22, 2008) rates the system as "Medium" for\ndata integrity. Using the high water method described in FIPS 199, we consider this system to be Moderate.\n\n                                                                       Page 13\n                                                     National Archives and Records Administration\n\x0c                                                                                            Appendix A\n\n                       National Archives and Records Administration\n                                                                                          8601 Adelphi Road\n                                                                         College Park, Maryland 20740-6001\n\n\n                 MAY    5 2009\nDate:\n              OfFe of the Inspector General (OIG)\nTo:\n             Jffice of Information Services (NH)\nFrom:\n             Revised Draft Report 09-09, Audit ofNARA\'s Change Control Process \n\nsubject\xc2\xb7 \n\n             We have reviewed the revised draft OIG Report No. 09-09, March 10,2009, titled Audit of\n             NARA\'s Change Control Process. We want to thank the auditor for meeting with NH staff to\n             discuss the first set of comments sent to OIG on April 10, 2009. The changes that were made\n             to the report following the meeting have resulted in our accepting the recommendations as\n             written, or, in some cases, revised as agreed to in the meeting. We have copied the\n             recommendations on the following pages and provide our concurrence on them individually.\n             Ifwe have incorrectly copied the updated text from the revised report e-mailed to us on\n             April 29, 2009, please let us know.\n\n             Please thank Christine Dzara for working with us on revision to the original draft, and we look\n             forward to working with her on developing an acceptable action plan once we receive the\n             report in final. If you have any questions about our response, please call me or Steve Heaps\n             on 837-3170.\n\n\n\n\n             Assistant Archivist for Information Services\n\n\n\n\n                                     NARA\'s web site is http://www.archives.gov\n\x0c                                                                                   Appendix A\n\n\n\n  Recommendation 1: We recommend the CIO enforce a more formal and centralized\n  change control process.\n\n  We concur with the recommendation. \n\n\n  Recommendation 2: We recommend the CIO ensure all systems have adequate and \n\n  documented change control procedures. \n\n\n We concur with the recommendation. \n\n\n Recommendation 3: We recommend the CIO enforce and if necessary update NARA \n\n procedures to require security analysis prior to implementing system changes and \n\n provide guidance for when a security analysis is warranted. \n\n\n We concur with the recommendation .. \n\n\n Recommendation 4: We recommend NHT modify the Request for Change (RFC) form \n\n to include a space to document adjustments or potential impacts to security. \n\n\n We concur with the recommendation. \n\n\n Recommendation 5: We recommend that the CIO require the test plans and test results \n\n to be documented and maintained. \n\n\n We concur with the recommendation. \n\n\nRecommendation 6: We recommend that the CIO develop guidance to aid in \n\n   Developing test plans; \n\n   Determining if a test plan is required and how to, document the decision if one is not \n\n   required; and \n\n  Maintaining the test results. \n\n\nWe concur with the recommendation.\n\nRecommendation 7: We recommend\':\n\n            (a) CIO strengthen system change control policies and procedures to\ninclude emergency change control proce<dures.\n\n            (b) System owners implement additional procedures to control emergency\nchanges.\n\nWe concur with the recommendation.\n\n\n\n\n                          N A R A\'s wph   .~jtp i.~   httn \'//www nrr.hivps 9\'nv\n\x0c                                                                    Appendix A\n\n\nRecommendation 8: We recommend the CIO either require systems categorized as\nHigh impact to use an automated system, such as PVCS Tracker, or implement\nadditional controls.\n\nWe concur with the recommendation.\n\n\n\n\n                      NARA \'s web site is http://www.archives.gov\n\x0c'